In this case the error code 401 Unauthorized will be the right HTTP error code, because the existing session token doesn't authorize you any more. Sending the error code 404 is incorrect, because the resource still exists but you aren't currently authorized to see it. Actually a session token is only a shortcut to avoid providing credentials for every request.